IoT Device Security is Being Seriously Neglected

There are roughly 8 billion IoT devices connected today. By the early 2020s, it is estimated that there will be 25 to 30 billion IoT devices worldwide, and 25% of cyber-attacks will be targeting IoT devices.

Needless to say, IoT manufacturers are scrambling to keep up with this growing demand. Unfortunately, these devices generally are not equipped with proper security protections, and therefore create vulnerabilities in networks (painfully illustrated by the recent Mirai botnet attack).

The nascent IoT landscape has been compared to the early days of the internet. Companies all over the world rushed haphazardly into the internet “gold rush” without adequately addressing internet security. Viruses, worms, and spam subsequently descended on users. In many ways, history may be repeating itself with IoT.

Peter Winston is CEO and founder of Integrated Computer Solutions, which creates connected and embedded devices built on UX, engineering and security. According to Winston, “The bottom line is simple: manufacturers need to take IoT device security seriously. They need to prioritize security and address it from the outset — incorporating it into IoT device design and development, rather than handling it as an afterthought right before shipping. By then, it’s too late to make impactful changes, and an update here and there is insufficient.”

Unfortunately, IoT device manufacturers have not prioritized security to date, mostly because they are motivated by profit; they want to bring as many of these devices to market as quickly and as cheaply as possible. Implementing security checks that they are not required to implement is expensive and time-consuming. Embedding adequate levels of security into IoT devices would cost more, require specialized expertise, and may even involve product redesigns to accommodate different types of processors that power the security features. Therefore, the vulnerabilities proliferate. Currently, 48% of U.S. companies with IoT devices on their network have been breached.

Last year’s infamous Mirai botnet attack used IoT devices to mount wide-scale distributed denial of service (DDoS) attacks, disrupting internet service for more than 900,000 Deutsche Telekom customers in Germany and infecting almost 2,400 TalkTalk routers in the UK. Even such a large-scale attack hasn’t inspired manufacturers, or even consumers, to seriously consider the security risks of IoT devices on a grand scale. But networks can be hacked through these devices, potentially wiping out organizations or even entire cities.

So, what can be done to address these security flaws before more of these types of attacks occur? According to Winston, “Ultimately, security needs to be baked into every device at the operating system level. It shouldn’t be up to an individual vendor at the application level. And the level of device security should match the audience. If you’re selling your connected device to the CIA — if it has to work in a highly secure building, a place where a breach could be catastrophic — there’s a different expectation than if you’re selling a toy. Yes, they both require you to lock the doors and close windows. But for the CIA, you also need to seal every crack and add multiple deadlocks to reinforced doors.”

Winston goes on to say, however, that “[T]hat won’t happen without some sort of mandate or regulation. The same way the auto industry had to be pushed to embrace passenger safety, I think the IoT industry may eventually need to be compelled to truly prioritize security. But it should. Security is likely one day to become an important selling feature — even a competitive advantage for manufacturers that do it well.”

And luckily, some legislators have begun to take the issue seriously. Back in August, Sen. Mark Warner (D-Va.) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. The bill would establish standards for IoT devices purchased by the U.S. government. Those devices must be free from known vulnerabilities when sold and have adequate data encryption. IoT vendors would be required to ensure the devices can be patched when security updates are available, and that the devices do not use hard-coded (unchangeable) passwords.

But the bill hasn’t yet been passed by the Senate and has only been referred to the Committee on Homeland Security and Governmental Affairs. The bill also only addresses IoT devices sold to the government; the entire private sector is still largely in a Wild-West scenario when it comes to IoT security. Hopefully some type of universal security standards can be implemented sooner rather than later. However, if history is any indication, it will probably take more catastrophes to inspire any meaningful progress.
